Snyk does a great job identifying and reducing vulnerabilities. This solution is fully automated and monitors 24/7 to find any issues reported on the internet. It will store dependencies that you are using so you don’t have to scan projects all the time. This solution fixed vulnerabilities quickly - even ones we didn’t know were there.
SonarQube is easy to deploy and configure. It also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. It is great if you want to quickly focus on functional requirements. This solution is very easy to use and understand.
Snyk has some scalability issues, especially if you are using a lot of code. This may potentially slow things down, affecting productivity. The notifications regarding vulnerabilities seem too broad to me. I think it would be better if there was a filtering process to more precisely report varied vulnerabilities. Snyk is also lacking slightly on the documentation end; we can’t always figure out how to fix an issue because proper documentation is not there, so it takes us longer to find the fix.
There were some security issues with our code that SonarQube did not find. Defining the quality of rules should be improved to ensure that low-performance code does not move forward to production. We would like to see better security scanning and statistical analysis from this solution.
Conclusion
These tools provide many of the same valuable problem-solving traits and resolutions. They are both very good. We liked Snyk better for its ease of use and great integration with other tools. We also found that the information Snyk provided with regard to issues and resolutions was what our team liked best.
@reviewer1650858 : Did you use Snyk for both SAST and SCA analysis? If yes, for SAST, did you upload source code to the Snyk platform for getting results? As per documentation, they need source code to be uploaded for 24 hrs, after which they remove it.
SonarQube Server and Snyk compete in the domain of software quality and security assessment tools. SonarQube seems to have the upper hand in comprehensive code quality management, while Snyk excels in security vulnerability detection in open-source libraries. Features: SonarQube Server supports over 20 programming languages and offers custom coding rules, quality profiles, and gates. Its graphical representation tools are highly praised by users. Snyk focuses on identifying security...